| oc |
|
|---|---|
|
So, the idea is, let everybody change their emails, but prevent security flaws by making reactivation on email change mandatory.
Process is, if user is able to change his/her email (still with the option from administration/users) and if he changes his email, an activation email is being send, and this way email's validity is checked, and one mail/one user policy is remain safe. Already coded and imported the language stuff, but because of the "no enhancement after Jan 25" it is N-0.1.0 feature. (If not liked, sure will be cancelled) What do you think ? ~edit: so, code in, users.profile.inc.php, right after the code:
$ruserbirthdate = ($rmonth==0 || $rday ==0 || $ryear==0) ? 0 : sed_mktime(1, 0, 0, $rmonth, $rday, $ryear);
if (!$cfg['useremailchange'])
{ $ruseremail = $urr['user_email']; }
Same on that file, change the whole $profile_form_email with:
$profile_form_email = ($cfg['useremailchange']) ? "<input type=\"text\" class=\"text\" name=\"ruseremail\" value=\"".sed_cc($urr['user_email'])."\" size=\"32\" maxlength=\"64\" />" : "<input type=\"text\" class=\"text\" name=\"ruseremail\" value=\"".sed_cc($urr['user_email'])."\" size=\"32\" maxlength=\"64\" disabled=\"disabled\" />";
And in users.register.inc.php, change whole 'validate' part with: http://www.cotonti.com/pastebin/9 And of course, last, add after {USERS_PROFILE_EMAIL}: <div style="font-size: xx-small;">{PHP.skinlang.usersprofile.Emailnotes}</div>Not the perfect usage of new Pastebin but I wanted you to see code and bug fix it, and to keep the code here safely. |
|
| This post was edited by oc (2009-01-31 07:56, 15 years ago) |
| Kilandor |
|
|---|---|
|
Sounds fine to me, But what if they type the email wrong, then there account is locked out and they can't do anything. I think the proper way it should be done is, it sends the email to the current email address in the DB, and it doesn't instantly change it. Also, I don't think there is any reason to change the group
That way say someone steals your account the email change request goes to you, and not the person trying to steal your account. And cool you used my pastebin :) |
| Brock |
|
|---|---|
|
Kilandor's way makes sense, but what happens in the case of you wanting to change your email due to the fact your old email is no longer valid?
Web Design Database - www.wddb.com
|
| oc |
|
|---|---|
|
(I posted before seeing Brock's post)
@Brock: Well, you are right. This is why my old method is better. I actually don't see no reason to take precautions after user/hacker is on the profile. Actually most of the systems doesn't have this method (I've never seen before for myself). And if user intends to change his/her email, after reading instructions and warnings he should be careful. Anyway, I coded two different methods, pick one. (Second one is not my favourite, but there are some features we can use even if we choose one (like no mail send if email checks on reg is off-same end) @Kilandor: You can't foresee what may happen if I go your way. I actually was not too happy with the recent hack, because I used "user session identifier" but it was a strict hack, I won't try and explain the reasons I changed user group, but this code may be better. So, forget all coded before, new code is: users.profile.inc.php Before the code:
/* ============= */
default:
/* ============= */
break;
After the code:
$rusertheme = ($ruserskin != $row['user_skin']) ? $ruserskin : $rusertheme;
After the code:
$ruserbirthdate = ($rmonth==0 || $rday ==0 || $ryear==0) ? 0 : sed_mktime(1, 0, 0, $rmonth, $rday, $ryear);
http://www.cotonti.com/pastebin/12 Of course, the update sql part part would be like this now:
user_email='".sed_sql_prep($ruseremail)."',
Replaced with: $newmail$profile_form_email and skin tags remain like my previous post, like I said these are actually notes for myself, not to forget how code was, It would be nice the new release to come out, not able to code sucks. Oh, I almost forgot, say hello to our little friend:
ALTER TABLE sed_users ADD COLUMN user_newmail varchar(64) collate utf8_unicode_ci NOT NULL default '';
|
|
| This post was edited by oc (2009-01-31 23:46, 15 years ago) |
| Trustmaster |
|
|---|---|
|
Well, my 5 cents. I sometimes encounter these problems about emails:
[list=1] Well, if you talk security, the problem is that if somebody has intercepted user's session, he can go to profile, change email and request password recovery for that email. And this way he steals the account completely. If all you want to avoid is this problem, I would advise just prompt for a password when user changes email. No complex coding, no extra database stuff. May the Source be with you!
|
| oc |
|
|---|---|
|
It is not all about account security. It is also about site security. Email validation is something we can depend on in these situations.
|
| Kilandor |
|
|---|---|
|
Ah good idea man, I didn't think about password prompt to change email.
|
| Trustmaster |
|
|---|---|
|
To conclude it all, what we need to do is:
[list=1] Disagreed that email validation is something that puts bad guys away, though. It's not a problem to register a new mailbox for doing some harm  May the Source be with you!
|
| oc |
|
|---|---|
|
After releasing the N-0.0.2, I'll handle this, I'm positive for password check, but email validation is good for security. If we are going to think that way, system will never be secure.
|
| Trustmaster |
|
|---|---|
|
Could you explain why it is so good?
May the Source be with you!
|
| m_ogz |
|
|---|---|
|
He things, he can track bad guys with their e-mails (I suppose).
Ne hasta bekler sabahı, ne taze ölüyü mezar, ne de şeytan bir günahı, seni beklediğim kadar;<br /><br />
Geçti istemem gelmeni, yoklugunda buldum seni, bırak vehmimde gölgeni, gelme artık neye yarar... |
| oc |
|
|---|---|
|
It is amazing that there is an actual plugin for this:
http://www.neocrome.net/page.php?id=2070 I did not know about this, codes are not likely but it is really interesting that this has been done before exact method and nobody knows. |
| Dilster3000 |
|
|---|---|
|
Well,the idea i going 50%,50% in my head....but i like it :)
|
| Antar |
|
|---|---|
# oc : It is amazing that there is an actual plugin for this:I am using this at least 2 years |
